The new normal. 5 ideas for improved user security

There have always been bad guys on the Internet, that's nothing new. But as more and more people use the web for daily tasks, the amount of personal information out there is growing rapidly. That then feeds on itself that if you're in possession of personal information, you can potentially in turn wreak more havoc by using that information on more parts of the web.

Meanwhile, regulations like the GDPR, are putting much stricter obligations on businesses and ogranisations to report any breaches of security. Meaning not only does making your user's data more secure protect your users, it also protects you - the company behind the website - from hefty fines.

I've made some suggestions to a client recently that I thought I'd document here that just take the "usual" account management functions of a typical website up a notch to make it slightly harder for hackers to run riot.

2 Factor Authentication 2 Factor Authentication, or 2FA, is where you ask for more than just an email address (or username) and password to login. It's like when you log into your online banking with the little calculator they gave you, or more commonly you receive a text mesage with a short code that you need to enter when you try to log into a website.

Historically websites (outside of the banking / financial services) have shied away from imposing this on users as it can be seen as a bit of a hurdle and UX is typically thought to be about as few steps as possible to get people to where they want to be. But the user experience of being told your data has been compromised, or that your account has been accessed, is about as bad as UX can get so more organisations are looking at the bigger picture here. There is also the subtle user experience of showing your visitors you're up to date with security methodologies and take their privacy seriously, which is of course a very strong message to send.

2FA can be achieved in a few ways - such as by asking someone to have a mobile number registered and then send them a text message when they log in, or by using an app such as Authy , owned by Twilio, or Google Authenticator. Google Authenticator works by displaying a code on your phone that you enter, without the need for a text message.

The point of 2FA is that if someone's password is compromised, then a hacker still can't get into the user's account without also having access to another device like their mobile phone.

Depending on your user base and how your site is used, you may opt for a more passive 2FA where the code is only required if someone appears to be logging in from a new device or different geographical area that normal. Personally in my work, we're recommending that at least site admins have 2FA enabled, even if you don't role it out for members of the public.

Remember of course also that you can make 2FA optional for users, so those who appreciate the increased security can turn it on, and those who don't want the hassle can leave it off but then at least you've given them the option.

Password and email updates Often when you go to change your password on a website it asks you to enter your old password first, which prevents a hacker who has found another way into that account from changing it, or stops them if they've accessed a logged in device. However if they've logged in as that user after sourcing the password then being asked to repeat it won't necessarily stop them.

Instead, if updating your password involved sending an email to the registered address, anyone who'd just gained access to the website wouldn't be able to change it and therefore wouldn't be able to take control of the site and lock the main user out.

This would of course have to work hand in hand with an email verification on an email address reset too - so if someone wished to change their email address, they'd need to click a link sent to their old email to prove this was a legitimate request. That's of course an issue if someone is changing their email address because they've lost access to their old email account, but it's one of those calls you've got to make with regards to security for all vs. a bit more customer support for a few.

This approach is useless if a hacker has gained access to a user's email account, but there are many different types of hacks and this required email verification in more places helps if a password has been compromised. This doesn't necessarily - or even usually - mean the website has had a breach of their data - there are many ways passwords can be harvested.

Routine password updates We've only ever done this for one client, for whom security was very important, but you can change your users' passwords every 90 days (or similar) so that if they are using a password that is new and not so likely to be featured on a black market list of hacked passwords. It's not ideal for a user, but it's something to consider if you need to be extra vigilant, and hope your users appreciate that.

Strength checkers Consider a password strength checker so that when people create a password they have to meet certain rules and you show them visually how good that password is deemed to be. These aren't fool proof, and too many rules can be annoying (there's nothing more annoying than password rules which aren't made clear and you're needing to try to guess!) so the approach where the rules are visually ticked off from a list when they're met, as the user types, can be a good user experience.

Login monitoring If you're storing IP addresses of your users you need to make sure that's clear in your privacy policy under GDPR, but being able to show people a history of when they've logged in and where from. IP locations aren't always accurate so you should flag this up rather than panic people, but the timing will be more recognisable to users.

You may wish to show people when they log in "Thanks, you last logged in at XX from XXX - if this wasn't you please contact us" but that can be a bit alarming if users aren't expecting that and make them assume there's an issue when there isn't. Something more subtle can just be a page in their account management area that lists their previous logins.

Instagram go so far as to display a map of where a login happened from (but, only if you dig deeply for it so it's there but not alarming and in your face) but the map was wrong for me due to how my Internet is set up (and I'm used to websites thinking I'm in a part of the country I'm not) so more information isn't always beneficial. But like with the option of 2FA, having it on your website shows your users you're taking security seriously.

Security is like an onion Yes I did actually ask this in a Lock Down Zoom Quiz - which vegetable is security likened to? An onion. Just like an onion has lots of layers, your security practices need to be layered. There's no one thing you can do to protect your site or your users, and different types of attacks and hacks need handling in different ways. So you just need to consider what works for you and the data you hold, considering of course how sensitive it is and the cost and hurdles of implementing various security features, and take as many steps as you can to protect yourself and your customers.

The new normal. 5 ideas for improved user security

Grow your Digital Knowledge

by Lisa